Vesta Control Panel - Forum


SSL Certificate Installation

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
alexeikarp
Posts: 1
Joined: Wed Feb 12, 2014 7:36 pm

SSL Certificate Installation

Post by alexeikarp » Wed Apr 09, 2014 10:47 pm

Greetings fellow forum members.

First and foremost, I wanted to express my sincere gratitude to the Vesta team for building this amazing CP. As soon as I'll be able to afford paid support, I'll get it :).

For now, I'm relying on the community - and a very helpful one from what I can see in the forums so far! :)))

My issue is the following: My attempts at installing a Comodo SSL Certificate result in the following:

Editing Domain → Error: ssl certificate key pair is not valid

My domain (as setup in CP) is domain.com .
www.domain.com is added as an alias.

1) I have requested a CSR for www.domain.com via the control panel by clicking here: http://d.pr/i/u3GV
2) I have updated the CSR request form as per my needs (with WWW): http://d.pr/i/1G0W
3) I arrived at the page with the generated CSR data http://d.pr/i/neRG
4) I pasted the CSR at the SSL authority http://d.pr/i/D4pz
5) Entered appropriate info for the SSL Certificate http://d.pr/i/l5u5
6) I then received 3 files from the SSL Authority:
- Root CA Certificate - AddTrustExternalCARoot.crt
- Intermediate CA Certificate - PositiveSSLCA2.crt
- Your PositiveSSL Certificate - www_domain_com.crt
7) Finally, I came back to the edit domain section of the CP and pasted the following data in the appropriate fields of the form:
http://d.pr/i/mIwx
- Your PositiveSSL Certificate - www_domain_com.crt ==> SSL Certificate (Form Field)
- SSL Key (from Generating CSR Vesta Interface) ==> SSL Key (Form Field)
- Root CA Certificate FOLLOWED BY Intermediate CA Certificate ==> SSL Certificate Authority / Intermediate (optional) (Form Field).

I have also tried my luck without the Intermediate CA Certificate or without the Root CA Certificate. Alas...

Editing Domain → Error: ssl certificate key pair is not valid

Now obviously I'm doing something wrong. Any suggestions as to what?

Thank you and have a nice day!

mephivio
Posts: 198
Joined: Thu Mar 27, 2014 7:35 am

Os: Debian 8x
Web: nginx + php-fpm
Re: SSL Certificate Installation

Post by mephivio » Thu Apr 10, 2014 11:19 am

Easy ..

I have the same certificate from Comodo

SSL Certificate : your www_mydomain_com.crt
SSL Key : your server RSA Private Key
SSL Certificate Authority : your PositiveSSLCA2.crt

Hope it helps you

Regards

JP

osc2nuke
Posts: 5
Joined: Wed May 14, 2014 2:37 pm

Re: SSL Certificate Installation

Post by osc2nuke » Wed May 14, 2014 6:18 pm

I did the exact same thing as the OP

However, I got 4 crt's.
When I came to Comodo's website I had to choose my server environment; as I am on CentOS and VestaCP has nginx + apache, I did not know what to choose. So I chose OTHER.

The files I got:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
mydomain_com.crt (I made it without www)

Tried so often, suddenly Vesta said: changes saved (but I did not trust it).
I went to my site and tried it.
Of course FF complained it is not trusted.

I ran the analyzer on Comodo (took pretty long); finally the result came that it used a self-signed SSL.
I do not know what to do anymore.

At the moment of typing I opened Comodo to make a new certificate...... but what should I do? (and how often can I do that?)

hwname
Posts: 9
Joined: Fri May 23, 2014 8:16 am

Re: SSL Certificate Installation

Post by hwname » Fri May 23, 2014 6:26 pm

Hello,

I have the identical issue. I am certain that I have the correct cert and key contents in their respective input boxes, but when I enter the Comodo SSL .ca-bundle contents in "SSL Certificate Authority / Intermediate (optional)" I always receive the error "Error: ssl certificate authority is not valid" and if I leave it blank I get "Error: certificate authority not found". I would greatly appreciate some help getting this working.

hwname
Posts: 9
Joined: Fri May 23, 2014 8:16 am

Re: SSL Certificate Installation

Post by hwname » Sat May 24, 2014 8:34 am

To follow up on this, on the basis of my expectation that this issue was due to the CA bundle from Comodo being in the wrong order for Vesta's CA text field expectations, I tested reordering the items in the bundle and discovered that some orders do not get a CA error. So that no one else has to repeat my tedious work, here are the results.

If you choose "other" when getting a Comodo PositiveSSL cert and receive three different CA certs from them, you have to make your own Vesta-compatible CA bundle with them by concatenating them into a single file. Here are the CA file orders that I found that Vesta would save instead of throwing a CA error:

AddTrustExternalCARoot.crt PLUS COMODORSAAddTrustCA.crt PLUS COMODORSADomainValidationSecureServerCA.crt

AddTrustExternalCARoot.crt PLUS COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt

COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt PLUS COMODORSADomainValidationSecureServerCA.crt

COMODORSAAddTrustCA.crt PLUS COMODORSADomainValidationSecureServerCA.crt PLUS AddTrustExternalCARoot.crt

COMODORSAAddTrustCA.crt PLUS COMODORSADomainValidationSecureServerCA.crt

A CA error was thrown with the following combinations or individual files being added to the CA text field in Vesta:

COMODORSADomainValidationSecureServerCA.crt PLUS AddTrustExternalCARoot.crt PLUS COMODORSAAddTrustCA.crt

COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt

AddTrustExternalCARoot.crt PLUS COMODORSAAddTrustCA.crt

AddTrustExternalCARoot.crt PLUS COMODORSADomainValidationSecureServerCA.crt

COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt

COMODORSADomainValidationSecureServerCA.crt PLUS AddTrustExternalCARoot.crt

COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt

COMODORSADomainValidationSecureServerCA.crt

COMODORSAAddTrustCA.crt

AddTrustExternalCARoot.crt

If you are instead working with Comodo's CA bundle, it is shipped in this order, which isn't compatible with Vesta:

COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt

So it has to be reordered so that the first chunk is no longer first (as you can see from the five working examples above, it either has to be moved to the second or third position so that either AddTrustExternalCARoot.crt or COMODORSAAddTrustCA.crt is in the first position, and there is one last option in which the last chunk is completely removed and the two remaining chunks have their positions swapped).

Now, according to this post above from this same thread:

viewtopic.php?f=11&t=4896&p=12958#p12706

It is possible to have an accepted CA entry in Vesta from Comodo without it actually working as an SSL cert. I don't know yet whether all five options I showed above all really work, or if they just don't throw an error when being installed in Vesta and only one of them works fully. I will have to get a little farther along in my site migration before I can confirm or disprove that the five non-error options above all work to create a secure site, or whether only some of them are fully functional.

It would be great if others from this thread having the same issue could see if my advice here helps them get past these errors and then verify whether all five of the working combinations or just some subset actually perform to secure the connections as well so that other people searching for a solution to this issue can get the whole fix at once.

hwname
Posts: 9
Joined: Fri May 23, 2014 8:16 am

Re: SSL Certificate Installation

Post by hwname » Sun May 25, 2014 12:26 pm

I've had the chance to fully install and test these CA certificate bundle configurations now and it's correct that they do not all create a secure connection according to checkssl.com (although they all show a lock icon in a browser).

Out of the five entries above that can be saved, these two bundle orders create a secure connection according to checkssl.com:

AddTrustExternalCARoot.crt PLUS COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt

COMODORSAAddTrustCA.crt PLUS COMODORSADomainValidationSecureServerCA.crt PLUS AddTrustExternalCARoot.crt

These three do not, and instead give an error of missing chain certificates:

COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt PLUS COMODORSADomainValidationSecureServerCA.crt

AddTrustExternalCARoot.crt PLUS COMODORSAAddTrustCA.crt PLUS COMODORSADomainValidationSecureServerCA.crt

COMODORSAAddTrustCA.crt PLUS COMODORSADomainValidationSecureServerCA.crt

This means that if you are using the cabundle file that Comodo ships, which contains the CA certs in this order:

COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt

You would need to move the last chunk to the beginning and then it should work. Alternately, it should also work if you instead move the second chunk to the beginning.
Top
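
Added example, not part of any post in this thread: standard-library Python that sorts the CA certificates of a bundle by their issuer/subject links, which is the order a TLS server sends its chain in (each certificate certifying the one before it), and reports whether the chain ends at a self-signed root. The `fake_cert` skeletons and the names `dv-ca`, `rsa-ca` and `root` are constructed stand-ins for the three CA files discussed above; which orders Vesta's own validator accepts is not something this code determines.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    if _tlv(der, pos)[0] == 0xA0:           # skip optional [0] version
        pos = _tlv(der, pos)[2]
    fields = []                             # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        end = _tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def pem_to_ders(pem):
    return [base64.b64decode(b) for b in PEM_RE.findall(pem)]

def order_bundle(leaf_pem, bundle_pem):
    """Order CA certs so each certifies the one before it, leaf's issuer first.
    Returns (DER list, True if the chain ends at a self-signed root)."""
    by_subject = {issuer_subject(d)[1]: d for d in pem_to_ders(bundle_pem)}
    issuer, subject = issuer_subject(pem_to_ders(leaf_pem)[0])
    chain = []
    while issuer != subject and issuer in by_subject:
        chain.append(by_subject.pop(issuer))
        issuer, subject = issuer_subject(chain[-1])
    return chain, issuer == subject

def fake_cert(subject, issuer):
    """Constructed sample: unsigned skeleton holding only the fields parsed above."""
    el = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda cn: el(0x30, el(0x0C, cn.encode()))
    tbs = el(0xA0, el(0x02, b"\x02")) + el(0x02, b"\x01") + el(0x30, b"") \
        + name(issuer) + el(0x30, b"") + name(subject)
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(el(0x30, el(0x30, tbs)))
            + b"\n-----END CERTIFICATE-----\n")

LEAF, DV = fake_cert("www.example.com", "dv-ca"), fake_cert("dv-ca", "rsa-ca")
CROSS, ROOT = fake_cert("rsa-ca", "root"), fake_cert("root", "root")
```

With real files, pass the bytes of the domain certificate and of the concatenated CA files, e.g. `order_bundle(open("mydomain_com.crt", "rb").read(), bundle_bytes)`; an empty list means the bundle does not contain the issuer of the domain certificate.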

morcom
Posts: 14
Joined: Thu May 15, 2014 6:21 pm

Re: SSL Certificate Installation

Post by morcom » Mon Jun 02, 2014 4:25 pm

I've been wandering around for days trying to fix my SSL problem, which looks like the one in this topic. Unfortunately my knowledge of SSL is not very good, so I may be asking a stupid question.

Like osc2nuke, I ordered an EssentialSSL, used the Vesta CSR generator OK and submitted OK.
I received back 4 certificates:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
mydomain_eu.crt

From hwname's excellent work I can deduce the order of adding the files

SSL Certificate---------------------------- AddTrustExternalCARoot.crt
SSL Key------------------------------------- COMODORSADomainValidationSecureServerCA.crt
SSL Certificate / Intermediate --- COMODORSAAddTrustCA.crt

But this leaves me wondering what happens to the 4th certificate mydomain_eu.crt?

I've pretty well gone over most of the Comodo and Vesta documentation and forum support without any success so far so I hope someone can point me in the right direction

Trentor
Posts: 84
Joined: Fri Apr 25, 2014 6:42 pm

Re: SSL Certificate Installation

Post by Trentor » Sat Aug 16, 2014 9:00 pm

morcom wrote:
SSL Certificate---------------------------- AddTrustExternalCARoot.crt
SSL Key------------------------------------- COMODORSADomainValidationSecureServerCA.crt
SSL Certificate / Intermediate --- COMODORSAAddTrustCA.crt

Hello,

First, sorry for my English; it is not my primary language and I can't write it properly.

I don't know if it is too late for you and maybe you have already solved your problem, but I had the same problem and the solution (thanks to hwname) for me was:

SSL Certificate: your_domain_com.crt
SSL Key: The SSL Key that you created in CSR Generation, in Vesta
SSL Certificate / Intermediate: Use the other three certificates sent by Comodo in this order: COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt

For me, this configuration is working properly.

Bye!!

Raptor
Posts: 8
Joined: Mon Aug 11, 2014 8:39 pm

Re: SSL Certificate Installation

Post by Raptor » Mon Aug 25, 2014 1:58 am

Guys, I have a question: the COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt and AddTrustExternalCARoot.crt, do I have to copy what's inside them and paste it in this order in authority or what?

phez
Posts: 29
Joined: Mon Nov 25, 2013 7:07 am

Re: SSL Certificate Installation

Post by phez » Wed Dec 24, 2014 1:34 am

Trentor wrote:
morcom wrote:
SSL Certificate---------------------------- AddTrustExternalCARoot.crt
SSL Key------------------------------------- COMODORSADomainValidationSecureServerCA.crt
SSL Certificate / Intermediate --- COMODORSAAddTrustCA.crt

Hello,

First, sorry for my English; it is not my primary language and I can't write it properly.

I don't know if it is too late for you and maybe you have already solved your problem, but I had the same problem and the solution (thanks to hwname) for me was:

SSL Certificate: your_domain_com.crt
SSL Key: The SSL Key that you created in CSR Generation, in Vesta
SSL Certificate / Intermediate: Use the other three certificates sent by Comodo in this order: COMODORSADomainValidationSecureServerCA.crt PLUS COMODORSAAddTrustCA.crt PLUS AddTrustExternalCARoot.crt

For me, this configuration is working properly.

Bye!!

+1 Many thanks Trentor. This worked perfectly for me so your English is understandable!

Did you use this for your VestaCP Admin as well? or just a website hosted by VestaCP?